Entities involved in cryptography, science and research, security, military, communications and gaming industry applications, to name a few, all have present and growing needs for “entropy data,” such as random numbers. Because of severe computing restrictions, small size, limited power, limited bandwidth, limited finances, etc., some entities are unable to internally generate random numbers of sufficient quality or quantity and are increasingly forced to obtain entropy bits of high quality, and in quantity, from external sources. With this in mind, it has been fairly suggested that “entropy vending” and “entropy server” architectures will become commonplace, whereby data sources external to data recipients will supply the data recipients with entropy data.
As a practical matter, however, it is well known that obtaining truly random numbers for the above-mentioned and other applications is exceptionally difficult. Also, a problem exists regarding establishing confidence in external data sources when their trustworthiness is unknown, cannot be ascertained with certainty, or changes over time. Trustworthiness is relevant in that an attacker could gain access to the source in an attempt to manipulate entropy traffic for nefarious or corrupt purposes. It is also relevant in that the source may be inherently dishonest or incompetent, either at the outset or at some point in the future.
Regardless, it is essential that a recipient of vended (externally supplied) entropy data have some method of dealing with data-quality uncertainties. Such methods should also have a sound information-theoretic basis; allow for the use of policy around the dispositioning of entropy data; allow for logging or monitoring of entropy-related events for historical or future corrective-action reasons; be safe against attack; and be applicable to multi-source as well as single-source scenarios. Naturally, any improvements should further contemplate good engineering practices, such as relative inexpensiveness, stability, ease of implementation, low complexity, etc.